Skip to content

fix: mitigate set-paused and set-fee-basis-points timelock bypass (Issue #224)#253

Merged
Mosas2000 merged 34 commits intomainfrom
fix/set-paused-timelock-bypass
Mar 10, 2026
Merged

fix: mitigate set-paused and set-fee-basis-points timelock bypass (Issue #224)#253
Mosas2000 merged 34 commits intomainfrom
fix/set-paused-timelock-bypass

Conversation

@Mosas2000
Copy link
Copy Markdown
Owner

@Mosas2000 Mosas2000 commented Mar 10, 2026

Summary

Addresses the timelock bypass vulnerability where set-paused and set-fee-basis-points can circumvent the 144-block timelock in the deployed mainnet contract. Since the contract is immutable on mainnet, mitigation is applied at the frontend, monitoring, documentation, and operational layers.

Closes #224

Changes

Frontend

  • AdminDashboard component with timelocked-only pause and fee controls
  • useAdmin hook polling contract owner, pending changes, and block height
  • admin-contract.js read-only query helpers with Clarity hex parser
  • admin-transactions.js timelocked transaction builders (propose/execute/cancel)
  • timelock.js utility module with countdown, progress, and formatting
  • Admin nav link restricted to contract owner only
  • Visual timelock progress bar on pending change cards
  • ESLint rules banning set-paused and set-fee-basis-points string literals

Chainhook Monitoring

  • bypass-detection.js module flagging direct admin calls that skip timelock
  • /api/admin/events endpoint for admin event history
  • /api/admin/bypasses endpoint for detected bypass events
  • Bypass scanning integrated into event processing loop

Documentation

  • Timelock bypass vulnerability audit report
  • Admin operations guide with timelocked procedures and monitoring
  • Contract upgrade strategy for v2 bypass removal
  • Security policy with timelock disclosure
  • README updated with- README updated with- README updated with- README updated with- README updatimelock utilities
  • 18 unit tests for Clarity hex parser
  • 19 unit tests for admin transaction builders
  • 9 print event verification tests for timelocked and bypass operations
  • 25 contract tests for timelocked pause/fee propose/execute/cancel cycles

Verification

  • Frontend buil- Frontend buil- Frontend buil- Frontend buil- Frontets- Frontend buil- Frontend buis from missing simnet contracts)
  • 77 frontend unit tests pass
  • No Vercel deployment impact

Mosas2000 added 30 commits March 10, 2026 05:32
@Mosas2000
Add timelock bypass vulnerability audit report
67dde04 
Document the dual admin path vulnerability where set-paused and
set-fee-basis-points bypass the 144-block timelock mechanism in the
deployed mainnet contract. Classify severity as high with detailed
risk assessment, root cause analysis, and mitigation strategy.
@Mosas2000
Add admin operations guide with timelocked procedures
fc75916 
Define standard operating procedures for pause and fee management
using the propose-wait-execute pattern. Document when emergency
bypass is justified, pending change queries, multisig integration,
and incident response procedures.
@Mosas2000
Add contract upgrade strategy for timelock bypass remediation
ebee1d6 
Outline the v2 contract design that removes direct bypass functions,
adds emergency-specific authorization, includes cancel-pause-change,
and implements timelock extension. Describe migration strategy from
v1 to v2 with deployment checklist and timeline.
@Mosas2000
Add security policy with timelock bypass disclosure
ee9fbcf 
Document the known dual-path admin vulnerability, timelocked vs
direct bypass functions, post-condition enforcement, ownership
transfer safety, and contributor security checklist.
@Mosas2000
Fix incorrect admin function names in README contract table
ff53177 
Replace non-existent set-fee and toggle-pause with the actual
function names: set-fee-basis-points, set-paused, propose-fee-change,
execute-fee-change, cancel-fee-change, propose-pause-change, and
execute-pause-change. Note which functions bypass the timelock.
@Mosas2000
Add pending change and governance read-only functions to README
1902f6d 
Include get-pending-fee-change, get-pending-pause-change,
get-multisig, and get-contract-version in the read-only functions
table to document the full admin query surface.
@Mosas2000
Add timelock and governance safeguards to README security section
f080cda 
Document the 144-block timelocked admin changes, frontend enforcement
of timelocked paths over direct bypass, and optional multisig
governance layer in the security section.
@Mosas2000
Add timelocked pause change test suite with proposal and execution
b5bdc6a 
Test propose-pause-change authorization, pending state verification,
timelock enforcement before 144 blocks, successful execution after
timelock, non-admin execution rejection, no-pending-change rejection,
state cleanup after execution, and proposal override behavior.
@Mosas2000
Fix read-only result access pattern in timelock tests
b1c00f0 
Change result.data to result.value to match Clarity value wrapper
structure returned by simnet callReadOnlyFn. Fix expect.any assertion
that is incompatible with Cl.uint constructor.
@Mosas2000
Add timelock utility module for block-based countdown calculations
b21daa3 
Implement TIMELOCK_BLOCKS constant, estimateSecondsRemaining,
isTimelockExpired, timelockProgress, formatDuration,
formatBlocksRemaining, and getPendingChangeStatus helpers for
admin dashboard timelock display logic.
@Mosas2000
Add admin contract read-only query helpers
ac62e02 
Implement fetchCurrentBlockHeight, fetchPauseState, fetchFeeState,
fetchContractOwner, fetchMultisig, and fetchCurrentFee read-only
query functions. Include a Clarity hex value parser for decoding
tuple, uint, bool, and optional response types.
@Mosas2000
Add useAdmin hook for contract owner and pending change state
c1fce54 
Provide reactive admin state including contract owner, ownership
check, block height, pause state, fee state, and computed pending
change statuses. Poll the contract at a configurable interval and
expose a manual refresh function.
@Mosas2000
Add timelocked admin transaction builders
c6acce4 
Implement proposePauseChange, executePauseChange, proposeFeeChange,
executeFeeChange, and cancelFeeChange using openContractCall with
PostConditionMode.Deny. Explicitly exclude direct bypass functions
set-paused and set-fee-basis-points from the frontend API.
@Mosas2000
Add AdminDashboard component with timelocked-only controls
21a746a 
Build the admin dashboard with PauseSection and FeeSection sub-
components that exclusively use propose-wait-execute operations.
Include timelock progress bars, block countdown display, pending
change cards, and owner-only access guard. Direct bypass functions
are intentionally excluded from the UI.
@Mosas2000
Import Shield icon and lazy-load AdminDashboard component
3969eb9 
Add Shield from lucide-react for admin nav item icon and register
AdminDashboard as a lazy-loaded component for code-splitting.
@Mosas2000
Add /admin route for owner-only admin dashboard
3e31d45 
Register the AdminDashboard component at /admin with the connected
user address and toast callback. The component enforces owner-only
access internally, so all authenticated users can navigate to the
route but non-owners see an access restricted message.
@Mosas2000
Add admin link to main navigation bar
9d00972 
Include the Admin tab with Shield icon in the navigation items
array. The route is visible to all authenticated users but the
AdminDashboard component enforces owner-only access internally.
@Mosas2000
Implement timelock utility module with countdown calculations
fff69df 
Add block-based countdown helpers including blocksRemaining,
estimateTimeRemaining, getPendingChangeStatus, timelockProgress,
formatBlockHeight, and formatBasisPoints. Define TIMELOCK_BLOCKS
constant of 144 and AVERAGE_BLOCK_TIME_SECONDS of 600.
@Mosas2000
Implement AdminDashboard with timelocked-only pause and fee controls
661babf 
Build the full AdminDashboard component with owner-only access guard,
pause propose/execute controls, fee propose/execute/cancel controls,
status cards for block height and owner, pending change cards with
countdown timers, and a security notice about timelock enforcement.
The direct bypass functions are intentionally excluded.
@Mosas2000
Add 40 unit tests for timelock utility module
0e73778 
Cover blocksRemaining edge cases, estimateTimeRemaining formatting,
getPendingChangeStatus transitions between NONE/PENDING/READY,
timelockProgress calculation at boundaries, formatBlockHeight with
null and locale handling, and formatBasisPoints conversion accuracy.
@Mosas2000
Add 18 unit tests for Clarity hex value parser
80b728f 
Test parseClarityValue with null inputs, primitive types including
bool, uint, and none, optional wrapping with some/none, ok/err
response unwrapping, and 0x prefix handling.
@Mosas2000
Add 19 unit tests for admin transaction builders
f325fd3 
Test all five timelocked transaction functions with mock contract
calls, verify PostConditionMode.Deny enforcement, validate fee
bounds checking, confirm bypass functions set-paused and
set-fee-basis-points are never invoked, and test callback wiring.
@Mosas2000
Add ESLint rules to ban direct bypass function references
88399f8 
Disallow string literals 'set-paused' and 'set-fee-basis-points'
in frontend source code using no-restricted-syntax. Each violation
shows a message directing developers to the timelocked alternatives
propose-pause-change and propose-fee-change.
@Mosas2000
Add changelog entry for timelock bypass mitigation
f8ce071 
Document all security fixes, new admin components, utility modules,
test suites, documentation, and corrections added in this branch
under the Unreleased section.
@Mosas2000
Add chainhook bypass detection module for admin event monitoring
51ace51 
Detect when set-paused or set-fee-basis-points bypass the timelock
by checking for contract-paused and fee-updated events without
corresponding timelocked proposal history. Include alert formatting
and admin event parsing for the chainhook callback server.
@Mosas2000
Integrate bypass detection into chainhook callback server
66987f9 
Import bypass detection module and scan all incoming events for
timelock bypass usage. Log security alerts when direct set-paused
or set-fee-basis-points calls are detected without corresponding
timelocked proposals. Also log all admin events for audit trail.
@Mosas2000
Add admin events and bypass detection API endpoints to chainhook server
d8c6f0a
@Mosas2000
Restrict admin navigation link to contract owner only
6884ca3
@Mosas2000
Add timelock progress bar to PendingChangeCard in admin dashboard
e9cb86d
@Mosas2000
Write admin operations guide with timelocked procedures and monitoring
1a532cf
@Mosas2000 Mosas2000 merged commit 22c3f1f into main Mar 10, 2026
3 of 6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

🟠 HIGH: set-paused bypasses timelock governance in tipstream.clar

1 participant

@Mosas2000